The Internet Protocol (IP) operates on small units of data called packets, each carrying a header that contains the destination address and the source address. Because IP is connectionless, the routers of the network forward packets based on the destination address alone, without considering the source address.
However, manipulation of the source address by unauthorized parties creates a problem known as “spoofing”, which is the number one problem on the Internet. To gain access to certain resources, intruders create packets with spoofed source IP addresses. Such packets can be routed through filtering firewalls if those firewalls are not configured to filter incoming packets whose source address belongs to the local domain. It is important to note that this attack is possible even if no reply packets can reach the intruder. Configurations that are potentially vulnerable include routers to external networks that support multiple internal interfaces, routers with two interfaces that support subnetting on the internal network, proxy firewalls where the proxy applications use the source IP address for authentication, and routers or gateways that access the Internet with tunneling to an internal network.
Network administrators have the option to use source address filtering on their routers with the aid of anti-spoofing filters. However, these filters have limitations that depend on the type of spoofing and on the network implementation.
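The following is an added illustration, not part of the original document, of the kind of source address filtering a router can apply: packets arriving on the external interface must not claim an internal source address, and packets arriving on an internal interface must carry a source address from the prefix assigned to that interface. The interface names, prefixes and packets are constructed for the example. The last sample packet shows the limitation the text refers to: a host that spoofs another address within its own prefix passes the filter, because the filter only knows prefixes, not individual hosts.

```python
"""Illustrative anti-spoofing (ingress/egress) source address filter.

Added example, not taken from the original document. The topology,
interface names and packet samples are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed topology: the router's internal interfaces and the prefixes
# that legitimately live behind each of them.
INTERNAL_PREFIXES = {
    "lan0": [ipaddress.ip_network("10.0.1.0/24")],
    "lan1": [ipaddress.ip_network("10.0.2.0/24")],
}
EXTERNAL_IFACE = "wan0"


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source IP address from the header
    dst: str        # destination IP address from the header


def _all_internal():
    return [net for nets in INTERNAL_PREFIXES.values() for net in nets]


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for a packet arriving on pkt.in_iface."""
    src = ipaddress.ip_address(pkt.src)

    if pkt.in_iface == EXTERNAL_IFACE:
        # Ingress rule: a packet from outside must never claim an internal source.
        if any(src in net for net in _all_internal()):
            return ("drop", "internal source address arriving on external interface")
        # Loopback and unspecified sources are never valid on the wire.
        if src.is_loopback or src.is_unspecified:
            return ("drop", "invalid source address")
        return ("accept", "external source on external interface")

    nets = INTERNAL_PREFIXES.get(pkt.in_iface)
    if nets is None:
        return ("drop", "unknown interface")
    # Egress rule: a packet from an internal interface must carry a source
    # address from the prefix assigned to that interface.
    if not any(src in net for net in nets):
        return ("drop", f"source {pkt.src} not assigned to {pkt.in_iface}")
    return ("accept", "source matches interface prefix")


def run_samples():
    """Apply the filter to constructed packets; returns a list of (packet, verdict)."""
    samples = [
        Packet("wan0", "10.0.1.5", "10.0.2.9"),        # outsider claiming an internal source
        Packet("wan0", "198.51.100.7", "10.0.1.5"),    # ordinary external traffic
        Packet("lan0", "10.0.1.5", "203.0.113.9"),     # legitimate internal host
        Packet("lan0", "10.0.2.7", "203.0.113.9"),     # lan0 host claiming a lan1 address
        Packet("lan0", "10.0.1.99", "10.0.2.9"),       # spoofing within its own prefix: passes
    ]
    return [(pkt, filter_packet(pkt)) for pkt in samples]


if __name__ == "__main__":
    for pkt, (verdict, reason) in run_samples():
        print(f"{pkt.in_iface:5} {pkt.src:>14} -> {pkt.dst:<14} {verdict:6} ({reason})")
```

The filter is stateless and evaluates one header at a time, which is what makes it cheap enough for a router; the price is that it cannot tell two hosts in the same prefix apart, so spoofing between hosts behind the same interface is invisible to it.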
One of the best known dangers of spoofing is its use in combination with sniffing: the sniffed data are used to generate a response based on the spoofed address, so that the spoofer's machine makes the target believe it is the entity the target is trying to contact.
An example of spoofing combined with sniffing is Domain Name Server (DNS) spoofing, wherein a DNS server accepts and uses incorrect information from a host that has no authority to provide it. Such an attack may cause users to be directed to the wrong Internet sites, or e-mails to be routed to unauthorized mail servers.
Another significant type of spoofing targets the Address Resolution Protocol (ARP). In ARP spoofing, attackers can discover active devices on a local network segment by sending a series of ARP broadcasts, incrementing the value of the target IP address field in each broadcast packet, to find the hardware address of each destination. This method is similar to DNS spoofing but applies to a single, lower layer of the TCP/IP stack, and it works on switched networks as well. With it, an attacker can convince any host or router on the local network that the attacker is the host or router to which it should forward its IP packets. This method is now commonly used for sniffing switched networks. Before communicating with a host, an IP device must obtain the hardware address of the destination host or of the next-hop router along the path to that host. ARP cache poisoning is one of the most efficient attacks: it directly manipulates the ARP cache of a target device in order either to add a new entry to the table or to update an existing entry. This enables further attacks such as the interception of all traffic from one device to another, more commonly known as the “man in the middle” attack.
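As an added example, not part of the original document, the following detector shows how ARP cache poisoning can be recognised from the defender's side by watching ARP traffic on the segment. It flags a reply that contradicts an operator-configured static binding (such as the default gateway's address), a reply for which no request was seen, and a reply that changes an IP-to-MAC mapping learned earlier. The ARP messages, addresses and static binding are constructed for the example; a real deployment would feed the detector from a capture or a switch mirror port.

```python
"""Detection of ARP cache poisoning from a stream of ARP messages.

Added example, not taken from the original document. The ARP messages,
addresses and static binding below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    op: int           # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpPoisonDetector:
    def __init__(self, static_bindings: Optional[Dict[str, str]] = None):
        # IP -> MAC pairs the operator knows to be correct (e.g. the default gateway).
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned: Dict[str, str] = {}   # first IP -> MAC mapping seen on the wire
        self.pending: Set[str] = set()      # IPs for which a request has been seen
        self.alerts: List[str] = []

    def observe(self, msg: Arp) -> List[str]:
        """Process one ARP message and return the alerts it raised."""
        raised: List[str] = []
        mac = msg.sender_mac.lower()

        if msg.op == REQUEST:
            # Remember that someone asked for this IP, so the answer is expected.
            self.pending.add(msg.target_ip)
        elif msg.op == REPLY:
            # Rule 1: a reply contradicting a static binding is poisoning.
            expected = self.static.get(msg.sender_ip)
            if expected is not None and expected != mac:
                raised.append(f"static binding violated: {msg.sender_ip} claimed by {mac}, "
                              f"expected {expected}")
            # Rule 2: a reply nobody asked for is the classic poisoning vector.
            if msg.sender_ip in self.pending:
                self.pending.discard(msg.sender_ip)
            else:
                raised.append(f"unsolicited reply for {msg.sender_ip} from {mac}")
            # Rule 3: the mapping differs from the one first learned for this IP.
            prev = self.learned.get(msg.sender_ip)
            if prev is not None and prev != mac:
                raised.append(f"mapping change: {msg.sender_ip} was {prev}, now {mac}")

        # Keep the first mapping seen so that repeated poisoning keeps alerting.
        self.learned.setdefault(msg.sender_ip, mac)
        self.alerts.extend(raised)
        return raised


# Constructed traffic: host 10.0.1.10 resolves its gateway 10.0.1.1, the real
# gateway answers, then a third station replies as the gateway and as the host.
SAMPLE = [
    Arp(REQUEST, "aa:aa:aa:aa:aa:10", "10.0.1.10", "00:00:00:00:00:00", "10.0.1.1"),
    Arp(REPLY,   "00:11:22:33:44:01", "10.0.1.1",  "aa:aa:aa:aa:aa:10", "10.0.1.10"),
    Arp(REPLY,   "de:ad:be:ef:00:66", "10.0.1.1",  "aa:aa:aa:aa:aa:10", "10.0.1.10"),
    Arp(REPLY,   "de:ad:be:ef:00:66", "10.0.1.10", "00:11:22:33:44:01", "10.0.1.1"),
]


def run_sample() -> List[str]:
    """Run the detector over SAMPLE with the gateway pinned; returns all alerts."""
    det = ArpPoisonDetector(static_bindings={"10.0.1.1": "00:11:22:33:44:01"})
    for msg in SAMPLE:
        det.observe(msg)
    return det.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

Rule 2 on its own produces noise on real segments, since gratuitous ARP announcements are legitimately unsolicited; the static-binding rule is the one with no false positives, which is why pinning the gateway address (here through `static_bindings`) is the most useful configuration step.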
Several solutions exist for protecting a network against spoofing attacks. One of them is illustrated in FIG. 1, which shows the environment from a host 13 to a server 18 through a secure tunnel. The secure tunnel uses the IPsec standard for tunneling and encryption over an unsecure network NET 10 between two peer routers R1 14 and R2 15. Host 13 reaches router 14 via LAN 11. Content servers such as server 18 are reached through another LAN 12. Authentication is performed through a portal or gateway GW 17; once authentication has been performed, the gateway provides access to server S 18. It must be noted that network 10 can be either the Internet or an Intranet.
In the environment illustrated in FIG. 1, where the same IPsec tunnel is shared, there is a need for user authentication. Many solutions exist for this authentication, but none can simply verify that no host IP address spoofing is performed during the connection. The technique based on Secure Sockets Layer (SSL) provides this authentication and some anti-spoofing mechanisms thanks to the keys being used.
SSL is the standard method for sharing a secret by using public and private keys. Since the host and the gateway use the same secret key for encrypting and decrypting their information, they can be reasonably confident that this information cannot be intercepted and decoded by a third party. However, this depends on whether the encryption is strong or weak, and the protection provided by SSL is not sufficient to prevent some attacks.
Furthermore, a secure solution such as SSL has performance drawbacks and security limitations, and it was designed primarily for web server access. SSL includes encryption, whereas remote access generally already provides encryption through IPsec, and the SSL encryption cannot be removed. Moreover, SSL also includes its own encapsulation, which is therefore performed twice when an IPsec tunnel is present. Using this existing mechanism therefore does not help to reduce the overhead and the encryption processing of the system.
FIG. 2 shows an alternative solution applied to the same network system as the one illustrated in FIG. 1. This solution, which uses standard protocols such as IPsec AH or 802.1x as an access control method (ACTL) between host 13 and router 14, offers host authentication but not user authentication. Since hacking a PC password is easy, this solution is not very secure, as no user authentication is performed. Both mechanisms require router support, which means that the same administrative entity must have administrative control over the router and the hosts and must activate the function. Such an alternative is therefore complex to implement and provides insufficient security.